Updated gnupg and gnupg2 packages fix a security vulnerability
Publication date: 19 Jun 2018
Modification date: 19 Jun 2018
Type: security
Affected Mageia releases: 5, 6
CVE: CVE-2018-12020
Description
Updated gnupg, gnupg2, and python-gnupg packages fix a security vulnerability.

Marcus Brinkmann discovered that during decryption or verification, GnuPG did not properly filter out terminal sequences when reporting the original filename. An attacker could specially craft a file that would cause an application parsing GnuPG output to incorrectly interpret the status of the cryptographic operation reported by GnuPG (CVE-2018-12020).
References
- https://bugs.mageia.org/show_bug.cgi?id=23162
- https://neopg.io/blog/gpg-signature-spoof/
- https://lists.gnupg.org/pipermail/gnupg-announce/2018q2/000425.html
- http://openwall.com/lists/oss-security/2018/06/13/10
- https://usn.ubuntu.com/3675-1/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12020
SRPMS
6/core
- gnupg-1.4.23-1.mga6
- gnupg2-2.1.21-3.1.mga6
- python-gnupg-0.3.8-2.1.mga6
5/core
- gnupg-1.4.19-1.4.mga5
- gnupg2-2.0.27-1.2.mga5
- python-gnupg-0.3.6-4.1.mga5
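
To check a host against the fixed builds listed above, the following added example (not part of the original advisory) compares installed package versions with the SRPMS list using a simplified rpm-style version comparison. It assumes input lines in `name-version-release` form, such as the output of `rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE}\n' gnupg gnupg2 python-gnupg`; the function names and the sample input are hypothetical, and binary packages whose names differ from the source package names are reported as `unknown`.

```python
import re

# Fixed source package builds, copied from the SRPMS list in this advisory.
FIXED = {
    "mga6": {"gnupg": "1.4.23-1.mga6", "gnupg2": "2.1.21-3.1.mga6",
             "python-gnupg": "0.3.8-2.1.mga6"},
    "mga5": {"gnupg": "1.4.19-1.4.mga5", "gnupg2": "2.0.27-1.2.mga5",
             "python-gnupg": "0.3.6-4.1.mga5"},
}

def _segments(s):
    # rpm compares maximal runs of digits or letters; separators are ignored.
    return re.findall(r"\d+|[A-Za-z]+", s)

def _cmp_part(a, b):
    """Simplified rpmvercmp (no epoch, '~' or '^' handling): -1, 0 or 1."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1   # a numeric segment is newer
        kx, ky = (int(x), int(y)) if x.isdigit() else (x, y)
        if kx != ky:
            return 1 if kx > ky else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def cmp_evr(a, b):
    """Compare 'version-release' strings: version first, then release."""
    (va, ra), (vb, rb) = a.rsplit("-", 1), b.rsplit("-", 1)
    return _cmp_part(va, vb) or _cmp_part(ra, rb)

def audit(installed):
    """Map each name-version-release string to 'fixed', 'outdated' or 'unknown'."""
    result = {}
    for nvr in installed:
        name, ver, rel = nvr.rsplit("-", 2)
        dist = rel.rsplit(".", 1)[-1]          # e.g. 'mga6'
        fixed = FIXED.get(dist, {}).get(name)
        if fixed is None:
            result[nvr] = "unknown"
        else:
            result[nvr] = "fixed" if cmp_evr(f"{ver}-{rel}", fixed) >= 0 else "outdated"
    return result

# Constructed sample input (not taken from a real system).
SAMPLE = ["gnupg2-2.1.21-3.mga6", "gnupg-1.4.23-1.mga6", "python-gnupg-0.3.6-4.mga5"]

if __name__ == "__main__":
    for pkg, state in audit(SAMPLE).items():
        print(f"{pkg}: {state}")
```

A package reported as `outdated` predates the build listed in this advisory and should be updated.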